<%@ include file="/common/taglibs.jsp"%>

<%-- Page head: the title and heading text are looked up in the message bundle
     (mainMenu.title / mainMenu.heading), and the two page scripts are referenced
     relative to the webapp context path.
     NOTE(review): the "heading" meta tag is presumably consumed by a page decorator; confirm. --%>
<head>
	<title><fmt:message key="mainMenu.title" /></title>
	<script type="text/javascript" src="<%=request.getContextPath()%>/scripts/vuln-comments.js"></script>
	<meta name="heading" content="<fmt:message key='mainMenu.heading'/>" />
	<script type="text/javascript" src="<%=request.getContextPath()%>/scripts/toggle.js"></script>
</head>

<body id="apps">
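	<%-- Link back to the owning application. spring:url substitutes the id into the
	     path template, and fn:escapeXml HTML-escapes the resulting URL for the href. --%>
	<spring:url value="../../{applicationId}" var="applicationUrl">
		<spring:param name="applicationId" value="${ vulnerability.application.id }" />
	</spring:url>
	
	<h2>Vulnerability Details</h2>
	
	<a id="firstBackToApplicationLink" href="${ fn:escapeXml(applicationUrl) }">
		Back to Application <c:out value="${ vulnerability.application.name }"/>
	</a>
	
	<br>
	
	<div id="helpText">
		This page lists information about a specific Vulnerability.
	</div>
	
	<br>
	
	<%-- External reference to the CWE entry for this vulnerability's generic type.
	     The link opens in a new tab, so rel="noopener noreferrer" is set: the external
	     page gets no window.opener handle back to this page, and no Referer header
	     carrying this application's internal URL is sent. The URL uses https so the
	     reference page cannot be altered in transit. --%>
	<spring:url value="https://cwe.mitre.org/data/definitions/{vulnId}.html" var="cweUrl">
		<spring:param name="vulnId" value="${ vulnerability.genericVulnerability.id }" />
	</spring:url>
	<a id="cweLink" href="${ fn:escapeXml(cweUrl) }" target="_blank" rel="noopener noreferrer">
		CWE Entry for CWE-<c:out value="${ vulnerability.genericVulnerability.id }"/>: <c:out value="${ vulnerability.genericVulnerability.name }"/>
	</a>
	
	<%-- Summary of the generic (scanner-independent) classification; values are
	     written through c:out, which HTML-escapes by default. --%>
	<table class="dataTable">
		<tr>
			<td class="label">Generic Vulnerability:</td>
			<td class="inputValue"><c:out value="${ vulnerability.genericVulnerability.name }"/></td>
		</tr>
		<tr>
			<td class="label">Generic Severity:</td>
			<td class="inputValue"><c:out value="${ vulnerability.genericSeverity.name }"/></td>
		</tr>
	</table>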
	
	<%-- Navigation and action links for this vulnerability: back to the application,
	     the linked defect (when one exists), and the open/close and false-positive
	     toggles (when the viewer may modify vulnerabilities). --%>
	<div style="padding-top:25px">
		<spring:url value="../../../applications/{applicationId}" var="applicationUrl">
			<spring:param name="applicationId" value="${ vulnerability.application.id }"/>
		</spring:url>
		<a id="backToApplicationLink" href="${ fn:escapeXml(applicationUrl) }">
			Back to Application <c:out value="${ vulnerability.application.name }"/>
		</a>
		<c:if test="${ not empty vulnerability.defect }">
			<br/>
			<spring:url value="../../../applications/{applicationId}/vulnerabilities/{vulnerabilityId}/defect" var="defectUrl">
				<spring:param name="applicationId" value="${ vulnerability.application.id }"/>
				<spring:param name="vulnerabilityId" value="${ vulnerability.id }"/>
			</spring:url>
			<a id="viewDefectLink" href="${ fn:escapeXml(defectUrl) }">View Defect</a>
		</c:if>

		<%-- NOTE(review): canModifyVulnerabilities only decides whether the links are
		     rendered. The close / open / markFalsePositive / markNotFalsePositive handlers
		     must enforce the same permission server-side; confirm in the controller. --%>
		<%-- NOTE(review): the four actions below are plain anchors, so the browser issues
		     them as GET requests. If the handlers change state on GET they are reachable
		     by cross-site request forgery and by link prefetching; a POST form carrying an
		     anti-CSRF token is the safer shape. Confirm how the controller maps these paths. --%>
		<c:if test="${ canModifyVulnerabilities }">
			<br />
			<%-- Exactly one of Close / Open is shown, depending on vulnerability.active. --%>
			<c:if test="${ vulnerability.active }">
				<spring:url
					value="../../../applications/{applicationId}/vulnerabilities/{vulnerabilityId}/close"
					var="closeUrl">
					<spring:param name="applicationId"
						value="${ vulnerability.application.id }" />
					<spring:param name="vulnerabilityId" value="${ vulnerability.id }" />
				</spring:url>
				<a id="closeVulnerabilityLink" href="${ fn:escapeXml(closeUrl) }">Close Vulnerability</a>
			</c:if>
			<%-- The variable name closeUrl is reused below for the open and false-positive
			     URLs as well; each link reads the value set immediately before it. --%>
			<c:if test="${ not vulnerability.active }">
				<spring:url
					value="../../../applications/{applicationId}/vulnerabilities/{vulnerabilityId}/open"
					var="closeUrl">
					<spring:param name="applicationId"
						value="${ vulnerability.application.id }" />
					<spring:param name="vulnerabilityId" value="${ vulnerability.id }" />
				</spring:url>
				<a id="openVulnerabilityLink" href="${ fn:escapeXml(closeUrl) }">Open Vulnerability</a>
			</c:if>
			<br />
			<%-- Exactly one of Mark / Unmark is shown, depending on vulnerability.isFalsePositive. --%>
			<c:if test="${ not vulnerability.isFalsePositive }">
				<spring:url
					value="../../../applications/{applicationId}/vulnerabilities/{vulnerabilityId}/markFalsePositive"
					var="closeUrl">
					<spring:param name="applicationId"
						value="${ vulnerability.application.id }" />
					<spring:param name="vulnerabilityId" value="${ vulnerability.id }" />
				</spring:url>
				<a id="markFalsePositiveLink" href="${ fn:escapeXml(closeUrl) }">Mark as False Positive</a>
			</c:if>
			<c:if test="${ vulnerability.isFalsePositive }">
				<spring:url
					value="../../../applications/{applicationId}/vulnerabilities/{vulnerabilityId}/markNotFalsePositive"
					var="closeUrl">
					<spring:param name="applicationId"
						value="${ vulnerability.application.id }" />
					<spring:param name="vulnerabilityId" value="${ vulnerability.id }" />
				</spring:url>
				<a id="unmarkFalsePositiveLink" href="${ fn:escapeXml(closeUrl) }">Unmark False Positive</a>
			</c:if>
		</c:if>
	</div>

	<%-- Status History: rendered only when the model supplies a non-empty timeArray.
	     Each row pairs one lifecycle timestamp of the vulnerability with the matching
	     timeArray entry (indexes 0..4, shown under the "# Days" column).
	     NOTE(review): the ".time" accessor suggests the timestamp properties are
	     Calendar-like objects; confirm against the model class. --%>
	<c:if test="${not empty timeArray}">
		<h3>Status History</h3>
		<table class="formattedTable">
			<thead>
				<tr>
					<th class="first">Event</th>
					<th class="middle">Date</th>
					<th class="last"># Days</th>
				</tr>
			</thead>
			<tbody>
				<tr class="bodyRow">
					<td>Opened</td>
					<td id="vulnOpenTime"><fmt:formatDate value="${ vulnerability.openTime.time }"
							type="both" dateStyle="short" timeStyle="medium" /></td>
					<td><c:out value="${timeArray[0]}" /></td>
				</tr>
				<tr class="bodyRow">
					<td>WAF rule generated</td>
					<td id="vulnWafRuleTime"><fmt:formatDate
							value="${ vulnerability.wafRuleGeneratedTime.time }" type="both"
							dateStyle="short" timeStyle="medium" /></td>
					<td><c:out value="${timeArray[1]}" /></td>
				</tr>
				<tr class="bodyRow">
					<td>Submitted to tracker</td>
					<td id="vulnDefectSubmittedTime"><fmt:formatDate
							value="${ vulnerability.defectSubmittedTime.time }" type="both"
							dateStyle="short" timeStyle="medium" /></td>
					<td><c:out value="${timeArray[2]}" /></td>
				</tr>
				<tr class="bodyRow">
					<td>Marked as closed by tracker</td>
					<td id="vulnClosedInTrackerTime"><fmt:formatDate
							value="${ vulnerability.defectClosedTime.time }" type="both"
							dateStyle="short" timeStyle="medium" /></td>
					<td><c:out value="${timeArray[3]}" /></td>
				</tr>
				<%-- The label of the final row depends on vulnerability.foundByScanner. --%>
				<tr class="bodyRow">
					<td><c:choose>
							<c:when test="${vulnerability.foundByScanner}">Found closed by scanner</c:when>
							<c:otherwise>Marked closed</c:otherwise>
						</c:choose></td>
					<td id="vulnCloseTime"><fmt:formatDate value="${ vulnerability.closeTime.time }"
							type="both" dateStyle="short" timeStyle="medium" /></td>
					<td><c:out value="${timeArray[4]}" /></td>
				</tr>

			</tbody>
		</table>
	</c:if>
	
	<%-- editVisible controls whether the Findings table shows an Edit column.
	     It starts as false and flips to true as soon as any finding of this
	     vulnerability came in through the 'Manual' channel type. --%>
	<c:set var="editVisible" value="false" />
	<c:forEach items="${ vulnerability.findings }" var="candidate">
		<c:if test="${ candidate.scan.applicationChannel.channelType.name eq 'Manual' }">
			<c:set var="editVisible" value="true" />
		</c:if>
	</c:forEach>

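	<%-- Scan History: one row per finding, showing the channel type, the scan import
	     time and the user associated with the scan (or with the finding when the
	     scan has none). All values are written through c:out / fmt:formatDate. --%>
	<c:if test="${not empty vulnerability.findings}">
		<h3>Scan History</h3>
		<table class="formattedTable">
			<thead>
				<tr>
					<th class="first">Channel</th>
					<th>Scan Date</th>
					<th class="last">User</th>
				</tr>
			</thead>
			<tbody>
				<c:forEach var="finding" items="${ vulnerability.findings }" varStatus="status">
					<tr class="bodyRow">
						<td id="scan${ status.count }ChannelType"><c:out
								value="${ finding.scan.applicationChannel.channelType.name }" /></td>
						<td id="scan${ status.count }ImportTime"><fmt:formatDate value="${ finding.scan.importTime.time }"
								type="both" dateStyle="short" timeStyle="medium" /></td>
						<%-- NOTE(review): this id repeats the ChannelType pattern although the cell
						     holds the user name. It is left unchanged because element ids may be
						     referenced by UI tests or scripts outside this file. --%>
						<td id="scan${ status.count }ChannelType${ status.count }"><c:if test="${ not empty finding.scan.user }">
								<%-- Got info from scan, the normal case.
								     (JSP comment, so this note is not shipped to the browser.) --%>
								<c:out value="${ finding.scan.user.name}" />
							</c:if> <c:if
								test="${ empty finding.scan.user and not empty finding.user }">
								<%-- Got info from finding, probably a manual scan --%>
								<c:out value="${ finding.user.name}" />
							</c:if> <c:if test="${ empty finding.scan.user and empty finding.user }">
						No user found. Probably a remote scan.
					</c:if></td>
					</tr>
				</c:forEach>
				<%-- Footer spans all three columns of the table. --%>
				<tr class="footer">
					<td colspan="3" class="last pagination" style="text-align: right"></td>
				</tr>
			</tbody>
		</table>
	</c:if>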

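	<%-- Findings: one row per finding merged into this vulnerability. The Edit column
	     exists only when editVisible is true, and an Edit link is rendered only for
	     findings whose channel type is 'Manual'.
	     The path and parameter values presumably originate from imported scanner
	     output, i.e. data this application does not control; they are written through
	     c:out, whose default HTML escaping must stay enabled for these cells. --%>
	<c:if test="${not empty vulnerability.findings}">
		<h3>Findings</h3>
		<table class="formattedTable sortable" id="2">
			<thead>
				<tr>
					<th class="first">Scanner Name</th>
					<th>Severity</th>
					<th>Vulnerability Type</th>
					<th>Path</th>
					<th>Parameter</th>
					<c:if test="${ editVisible }">
						<th>Number Merged Results</th>
						<th class="last">Edit</th>
					</c:if>
					<c:if test="${ not editVisible }">
						<th class="last">Number Merged Results</th>
					</c:if>
				</tr>
			</thead>
			<tbody>
				<c:forEach var="finding" items="${ vulnerability.findings }" varStatus="status">
					<tr class="bodyRow">
						<td id="scannerName${ status.count }"><c:out
								value="${ finding.scan.applicationChannel.channelType.name }" />
						</td>
						<td id="severityName${ status.count }"><c:out value="${ finding.channelSeverity.name }" /></td>
						<td id="vulnName${ status.count }"><spring:url value="../scans/{scanId}/findings/{findingId}" var="findingUrl">
								<spring:param name="scanId" value="${ finding.scan.id }" />
								<spring:param name="findingId" value="${ finding.id }" />
							</spring:url> <a href="${ fn:escapeXml(findingUrl) }"> <c:out
									value="${ finding.channelVulnerability.name }" />
						</a></td>
						<td id="path${ status.count }"><c:out value="${ finding.surfaceLocation.path }" /></td>
						<td id="parameter${ status.count }"><c:out value="${ finding.surfaceLocation.parameter }" />
						</td>
						<td id="numResults${ status.count }"><c:out value="${ finding.numberMergedResults }" /></td>
						<c:if test="${ editVisible }">
							<td>
								<c:if test="${ finding.scan.applicationChannel.channelType.name == 'Manual'}">
									<spring:url value="../manual/{findingId}" var="editUrl">
										<spring:param name="findingId" value="${ finding.id }" />
									</spring:url>
									<%-- NOTE(review): id="editLink" repeats for every manual finding, so
									     ids are not unique when there is more than one. Left unchanged
									     because tests or scripts outside this file may look it up. --%>
									<a id="editLink" href="${ fn:escapeXml(editUrl) }">Edit</a>
								</c:if>
							</td>
						</c:if>
					</tr>
				</c:forEach>
			</tbody>
			<tfoot>
				<%-- Footer spans every column: 7 when the Edit column is shown, otherwise 6. --%>
				<tr class="footer">
					<td colspan="${ editVisible ? 7 : 6 }" class="pagination" style="text-align: right"></td>
				</tr>
			</tfoot>
		</table>
	</c:if>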

	<%-- Data Flow Variants: for every static finding that has data flow elements,
	     render a toggle link and an initially hidden div holding one small table per
	     element (file name, line number, line text).
	     The file name and line text presumably come from imported static-analysis
	     results; they are written through c:out, whose default HTML escaping must
	     stay enabled here. --%>
	<c:if test="${not empty staticFindingList}">
		<h3>Data Flow Variants</h3>
		<c:forEach var="finding" items="${staticFindingList}" varStatus="findingStatus">
			<c:if test="${ not empty finding.dataFlowElements }">
				<%-- NOTE(review): finding.id is placed inside a JavaScript string within a
				     javascript: URL. c:out applies HTML escaping only, which the browser
				     undoes before the script runs, so this is safe only while the id is
				     numeric; confirm the property type. --%>
				<a href="javascript:toggleid('<c:out value="${ finding.id }"/>');">Toggle
					finding <c:out value="${ finding.id }" /> data flow (Elements: <c:out
						value="${ fn:length(finding.dataFlowElements) }" />)
				</a>
				<br />

				<%-- NOTE(review): the div id is the bare finding id. The Findings table on
				     this page uses id="2", so a finding with id 2 would produce a duplicate
				     element id; whether that misdirects toggleid depends on toggle.js. --%>
				<div id='<c:out value="${ finding.id }"/>' style="display: none;">
					<h3>
						Finding
						<c:out value="${ finding.id }" />
						Data Flow
					</h3>
					<c:forEach var="dataFlowElement" varStatus="dataFlowElementStatus"
						items="${finding.dataFlowElements}">
						<table class="dataTable">
							<tr>
								<td class="label">File Name:</td>
								<td id="finding${ findingStatus.count }SourceFileName${ dataFlowElementStatus.count }" 
									class="inputValue"><c:out value="${ dataFlowElement.sourceFileName }" /></td>
							</tr>
							<tr>
								<td class="label">Line number:</td>
								<td id="finding${ findingStatus.count }LineNumber${ dataFlowElementStatus.count }" 
									class="inputValue"><c:out value="${ dataFlowElement.lineNumber }" /></td>
							</tr>
							<tr>
								<td class="label">Line text:</td>
								<td id="finding${ findingStatus.count }LineText${ dataFlowElementStatus.count }" 
									class="inputValue"><c:out value="${ dataFlowElement.lineText }" /></td>
							</tr>
							<tr>
								<td></td>
							</tr>
						</table>
					</c:forEach>
				</div>
			</c:if>
		</c:forEach>
	</c:if>

	<%-- Data Flow: shown when the model supplies a singleStaticFinding that has data
	     flow elements. One small table is rendered per element; every value goes
	     through c:out and is therefore HTML-escaped. --%>
	<c:if
		test="${ not empty singleStaticFinding and not empty singleStaticFinding.dataFlowElements }">
		<h3>Data Flow</h3>
		<c:forEach var="dataFlowElement" varStatus="status"
			items="${singleStaticFinding.dataFlowElements}">
			<table class="dataTable">
				<tr>
					<td class="label">File Name:</td>
					<td id="sourceFileName${ status.count }" class="inputValue"><c:out
							value="${ dataFlowElement.sourceFileName }" /></td>
				</tr>
				<tr>
					<td class="label">Line number:</td>
					<td id="lineNumber${ status.count }" class="inputValue"><c:out
							value="${ dataFlowElement.lineNumber }" /></td>
				</tr>
				<tr>
					<td class="label">Line text:</td>
					<td id="lineText${ status.count }" class="inputValue"><c:out
							value="${ dataFlowElement.lineText }" /></td>
				</tr>
				<%-- Empty row, apparently used as a spacer between elements. --%>
				<tr>
					<td></td>
				</tr>
			</table>
		</c:forEach>
	</c:if>

	<%-- Surface Location: shown when the model supplies a surfaceLocation. Host, path,
	     query and parameter describe a location in the scanned application and are
	     written through c:out, so markup inside them is rendered as text. --%>
	<c:if test="${not empty surfaceLocation}">
		<h3>Surface Location</h3>
		<table class="dataTable">
			<tr>
				<td class="label">Host:</td>
				<td id="host" class="inputValue"><c:out value="${ surfaceLocation.host }" /></td>
			</tr>
			<tr>
				<td class="label">Path:</td>
				<td id="path" class="inputValue"><c:out value="${ surfaceLocation.path }" /></td>
			</tr>
			<tr>
				<td class="label">Protocol:</td>
				<td id="protocol" class="inputValue"><c:out
						value="${ surfaceLocation.protocol }" /></td>
			</tr>
			<%-- The port cell stays empty when the port is -1
			     (presumably the "no port recorded" marker; confirm). --%>
			<tr>
				<td class="label">Port:</td>
				<td id="port" class="inputValue"><c:if
						test="${ surfaceLocation.port != -1 }">
						<c:out value="${ surfaceLocation.port }" />
					</c:if></td>
			</tr>
			<tr>
				<td class="label">Query:</td>
				<td id="query" class="inputValue"><c:out
						value="${ surfaceLocation.query }" /></td>
			</tr>
			<tr>
				<td class="label">Parameter:</td>
				<td id="parameter" class="inputValue"><c:out
						value="${ surfaceLocation.parameter }" /></td>
			</tr>
		</table>
	</c:if>
	
	<br/>
	
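	<%-- Comments: lists existing comments (when any) and offers a form to add one.
	     comment.comment and comment.user.name are stored user input; they are written
	     through c:out, and its default HTML escaping is what keeps stored markup from
	     being rendered, so escapeXml must not be switched off on these cells. --%>
	<div id="commentDiv">
	
		<h3>Comments</h3>

		<c:if test="${ not empty comments }">
			<table class="formattedTable">
				<thead>
					<%-- The header row is now closed with </tr>; the original opened a second <tr> here. --%>
					<tr>
						<th class="first"></th>
						<th>User</th>
						<th>Date</th>
						<th class="last">Comment</th>
					</tr>
				</thead>
				<tbody>
					<c:forEach var="comment" items="${comments}" varStatus="status">
						<tr class="bodyRow">
							<td id="commentNum${ status.count }"><c:out value="${ status.count }" /></td>
							<td id="commentUser${ status.count }"><c:out value="${ comment.user.name }" /></td>
							<%-- NOTE(review): "hh" is the 12-hour clock and the pattern has no AM/PM
							     marker, so morning and evening times render identically. --%>
							<td id="commentDate${ status.count }"><fmt:formatDate value="${ comment.time }"
									pattern="hh:mm:ss MM/dd/yyyy" /></td>
							<td id="commentText${ status.count }"><c:out value="${ comment.comment }" /></td>
						</tr>
					</c:forEach>
				</tbody>
			</table>
		</c:if>
	
		<spring:url value="../../../applications/{applicationId}/vulnerabilities/{vulnerabilityId}/addComment" var="commentUrl">
			<spring:param name="applicationId" value="${ vulnerability.application.id }" />
			<spring:param name="vulnerabilityId" value="${ vulnerability.id }" />
		</spring:url>
		<%-- NOTE(review): no anti-CSRF token field is visible in this form. Confirm that
		     one is added elsewhere (a filter, or addComment in vuln-comments.js) or that
		     the addComment handler verifies request origin by other means. --%>
		<form id="addCommentForm" method="post" action="${ fn:escapeXml(commentUrl) }">
			<textarea style="margin-top:10px" id="commentInputBox" name="comments"></textarea><br/>
			<%-- NOTE(review): commentUrl is embedded in a JavaScript string inside an event
			     handler attribute. fn:escapeXml only HTML-escapes, and the browser decodes
			     that before the handler runs, so this is safe only while both ids are
			     numeric; confirm the property types. --%>
			<input onclick="javascript:addComment('${ fn:escapeXml(commentUrl) }');return false;" style="margin-top:10px" id="addCommentButton" type="button" value="Add Comment" />
		</form>
	</div>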
</body>

